When it comes to “Hardening the Human OS” there is no on/off switch and no automation. The human element of security includes intelligence, unpredictability, emotions, and personality. That makes it a challenging and interesting element to work with when attempting to reduce the potential security risks presented by human nature.
The statistics vary, but it’s apparent that humans can unwittingly be a cause of security issues within organizations. As with any security risk prevention, there is no silver bullet. However, there are multiple tools that can be put in place to help reduce the overall risk. One of those tools is security awareness.
Common approaches to security awareness are: training, simulated phishing tests, email notices, posters, videos, etc. These approaches can be effective in reducing risk from different angles:
|Fear, Uncertainty, Doubt (FUD)|Hopelessness|
|Facts Only and Information Dump|Boring and Not Memorable|
Regarding FUD, awareness of the consequences of not employing security best practices is important, but it shouldn’t be the motivator. Consumers of awareness content are typically not moved to action through FUD. They are left feeling hopeless.
Facts are important, but they should be presented in an engaging way without losing the consumer to boredom. Clever, witty, and entertaining methods tend to be more memorable.
Mandatory participation has the opposite of the intended effect of training. Not in all cases, but certainly in many, the learner hurries through mandatory training with little to no retention and walks away with a chip on their shoulder because the training wasted their time.
What is more effective is teaching a security best practice framed around the individual; the consequences can be more impactful when they relate to the learner’s personal life. For example, teaching users how to avoid falling for a phishing attempt in both their personal life and their work life can lead them to pay closer attention, and good habits can naturally trickle into the workplace. Even better, make it personal and fun.
Adobe Security Awareness Videos
Super Bowl commercials are typically witty, clever, and fun. While the objective of the commercial is likely to increase sales, the focus is not on selling you the product. Rather, it is on creating a moment that is memorable, even shareable, so that the association with the product comes naturally.
At Adobe, we strive to deploy multiple approaches to security awareness. One way that we will be deploying the effective methods mentioned above is through a security awareness video campaign. The videos are intended to leverage the power of humor to entertain and to teach security best practices. Ultimately, the goal for this video campaign is to create memorable content that helps put strong security habits into practice.
Each video will focus on security threats and best practices that Adobe employees and the general community should be aware of in their work and personal lives:
- Vishing (Social Engineering via Phone)
- Computer Theft
- Data Handling
- Use of Removable Media
- Wireless Internet Use
Adobe is making these security awareness videos available for free through a collaboration with the National Cyber Security Alliance (NCSAM). NCSAM aims to make the internet safer and more secure for everyone. Adobe believes in empowering the customer to create. Adobe wants its customers, such as small businesses and individuals, to be better aware of how to protect their business so they can focus more on being creative and growing their business.
The first video was released today on the National Cyber Security Alliance’s resource website. We plan to release new videos every other month hereafter.
From our security team to you or your team, we wish you the best in helping to enhance the human element and hope these videos will be one additional tool in the security toolbox.
National Cyber Security Alliance blog: https://staysafeonline.org/blog/
National Cyber Security Alliance YouTube channel: https://www.youtube.com/user/StaySafeOnline1/
Videos created by Adobe in partnership with Speechless.
Security Business Operations & Content Lead